Zone Protection for Multi-path TCP (MPTCP) Evasions

You can now enable or disable Multi-path TCP (MPTCP) globally or for each network zone. MPTCP is an extension of TCP that allows a client to simultaneously use multiple paths (instead of a single path) to connect with a destination host. MPTCP especially benefits mobile users, enabling them to maintain dual connections to both Wi-Fi and cellular networks as they move—this improves both the resilience and quality of the mobile connection and enhances the user experience. However, MPTCP can also potentially be leveraged by attackers as part of an evasion technique. This feature provides the flexibility to enable or disable MPTCP for all firewall traffic or for individual network zones, based on the visibility, performance, and security requirements for each network zone.
By default, MPTCP support is disabled on the firewall, and the firewall converts MPTCP connections to regular TCP connections. However, you can choose to enable MPTCP support globally or for certain network zones.
  • For all firewall traffic.
    You can use the following CLI command to enable or disable MPTCP support for firewall traffic:
    set deviceconfig setting tcp strip-mptcp-option [no | yes]
    • Enter no to enable MPTCP support (the firewall does not remove the MPTCP option field from packets).
    • (Default) Enter yes to convert MPTCP connections to TCP connections (the firewall removes the MPTCP option field from packets).
  • For a network zone.
    Zone protection profiles allow you to set up security between network zones. Following the upgrade to PAN-OS 8.0, both existing and new zone protection profiles are set to support MPTCP by default.
    Take the following steps to enable or disable MPTCP support for a specific network zone:
    1. Select Network > Network Profiles > Zone Protection and modify or Add a zone protection profile.
    2. Select Packet Based Attack Protection > TCP Drop.
    3. Select one of the Multipath TCP (MPTCP) Options to apply to the network zone:
      • no—Enable MPTCP support (do not strip the MPTCP option).
      • yes—Disable MPTCP support (strip the MPTCP option). With this option configured, MPTCP connections are converted to standard TCP connections, as MPTCP is backwards compatible with TCP.
      • global—Support MPTCP based on the global MPTCP setting for all firewall traffic.
    4. Click OK to save the profile.
      If MPTCP support is disabled globally, but you want to support MPTCP for certain network zones, make sure that you enable MPTCP for each zone through which traffic traverses.
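
To make "strip the MPTCP option" concrete, the following added example (not from the PAN-OS documentation, and not a description of how the firewall implements the feature) walks the options of a raw TCP header, reports any MPTCP option (TCP option kind 30), and overwrites it with NOP padding. The function names and the sample SYN are constructed for illustration; NOP replacement is an assumption, chosen because it leaves the header length unchanged.

```python
import struct

MPTCP_KIND = 30  # TCP option kind assigned to MPTCP (RFC 8684)
SUBTYPES = {0: "MP_CAPABLE", 1: "MP_JOIN", 2: "DSS", 3: "ADD_ADDR",
            4: "REMOVE_ADDR", 5: "MP_PRIO", 6: "MP_FAIL", 7: "MP_FASTCLOSE"}

def walk_options(tcp_header: bytes):
    """Yield (offset, kind, length) for each option in a raw TCP header."""
    header_len = (tcp_header[12] >> 4) * 4      # data offset, in bytes
    if header_len < 20 or header_len > len(tcp_header):
        raise ValueError("bad TCP data offset")
    i = 20
    while i < header_len:
        kind = tcp_header[i]
        if kind == 0:                            # End of Option List
            return
        if kind == 1:                            # NOP is a single byte
            i += 1
            continue
        if i + 1 >= header_len:
            raise ValueError("truncated option")
        length = tcp_header[i + 1]
        if length < 2 or i + length > header_len:
            raise ValueError("malformed option length")
        yield i, kind, length
        i += length

def mptcp_subtypes(tcp_header: bytes):
    """Names of the MPTCP options present (empty list means plain TCP)."""
    found = []
    for off, kind, length in walk_options(tcp_header):
        if kind == MPTCP_KIND and length >= 3:
            found.append(SUBTYPES.get(tcp_header[off + 2] >> 4, "unknown"))
    return found

def strip_mptcp(tcp_header: bytes) -> bytes:
    """Overwrite MPTCP options with NOPs; the TCP checksum must be recomputed."""
    buf = bytearray(tcp_header)
    for off, kind, length in walk_options(tcp_header):
        if kind == MPTCP_KIND:
            buf[off:off + length] = b"\x01" * length
    return bytes(buf)

# Constructed SYN header: MSS 1460, then MP_CAPABLE (kind 30, len 4, subtype 0 / version 1)
OPTS = bytes([2, 4, 0x05, 0xB4, 30, 4, 0x01, 0x81])
SYN = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, (28 // 4) << 4, 0x02, 65535, 0, 0) + OPTS
```

Running `mptcp_subtypes` over TCP headers captured on the far side of a zone is a quick way to confirm that a profile set to strip the option is taking effect.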
